authelia testing

2022-05-30 16:12:24 -05:00
parent 68a3c2c124
commit 3ffcc6a996
5 changed files with 230 additions and 0 deletions
@@ -0,0 +1,33 @@
+location / {
+set $upstream_authelia http://192.168.1.30:9091; # This example assumes a Docker deployment. Change the IP and Port to your setup
+proxy_pass $upstream_authelia;
+client_body_buffer_size 128k;
+
+#Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Advanced Proxy Config
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+# Basic Proxy Config
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+# If behind reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.
+set_real_ip_from 192.168.1.0/24;
+real_ip_recursive on;
+}
@@ -0,0 +1,102 @@
+# yamllint disable rule:comments-indentation
+---
+###############################################################################
+#                           Authelia Configuration                            #
+###############################################################################
+
+theme: dark #light/dark
+jwt_secret: 9DGPzQy8SZQ7rV57V3DJnw #any text or number you want to add here to create jwt Token
+
+default_redirection_url: https://www.google.com/ #where to redirect for a non-existent URL
+
+server:
+  host: 0.0.0.0
+  port: 9091
+  path: ""
+  read_buffer_size: 4096
+  write_buffer_size: 4096
+  enable_pprof: false
+  enable_expvars: false
+  disable_healthcheck: false
+  tls:
+    key: ""
+    certificate: ""
+
+log:
+  level: debug
+
+totp:
+  issuer: akanealw.com #your authelia top-level domain
+  period: 30
+  skew: 0
+
+authentication_backend:
+  disable_reset_password: true
+  refresh_interval: 5m
+  file:
+    path: /config/users_database.yml #this is where your authorized users are stored
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 64
+
+
+access_control:
+  default_policy: deny
+  rules:
+    ## bypass rule
+    - domain: "auth.akanealw.com" #This should be your authentication URL
+      policy: bypass
+    - domain: "bitwarden.akanealw.com" #example domain to protect
+      policy: bypass
+    - domain: "webdav.akanealw.com" #example subdomain to protect
+      policy: bypass
+    - domain: "meshcentral.akanealw.com" #example subdomain to protect
+      policy: bypass
+    
+    ## one_factor rule
+    - domain: "codeserver.akanealw.com"
+      policy: one_factor
+
+    ## two_factor rule
+    - domain: ""
+      policy: two_factor
+
+      #add or remove additional subdomains as necessary. currenlty only supports ONE top-level domain
+      #any time you add a new subdomain, you will need to restart the Authelia container to recognize the new settings/rules
+
+session:
+  name: authelia_session
+  secret: 9DGPzQy8SZQ7rV57V3DJnw #any text or number you want to add here to create jwt Token
+  expiration: 3600  # 1 hour
+  inactivity: 300  # 5 minutes
+  domain: akanealw.com  # Should match whatever your root protected domain is
+
+regulation:
+  max_retries: 3
+  find_time: 10m
+  ban_time: 12h
+
+storage:
+  local:
+    path: /config/db.sqlite3 #this is your databse. You could use a mysql database if you wanted, but we're going to use this one.
+  encryption_key: iiB7C8Bn4A2gAhzs2fWaggUug76PZ4LU #added Dec 5 2021
+  
+notifier:
+  disable_startup_check: true #true/false
+  smtp:
+    username: akanealw@gmail.com #your email address
+    password: qlvmffuzpscltdgz #your email password
+    host: smtp.gmail.com #email smtp server
+    port: 587 #email smtp port
+    sender: akanealw@gmail.com
+    identifier: proxyserver
+    subject: "[Authelia] {title}" #email subject
+    startup_check_address: akanealw@gmail.com
+    disable_require_tls: false
+    disable_html_emails: false
+    tls:
+      skip_verify: false
+      minimum_version: TLS1.2
@@ -1,6 +1,18 @@
 version: '3'

 services:
+  authelia:
+    container_name: authelia
+    hostname: authelia
+    image: authelia/authelia
+    environment:
+      - TZ=America/Chicago
+    ports:
+      - 9091:9091
+    restart: always
+    volumes:
+      - ./appdata/authelia/config:/config
+    
  dozzle:
    container_name: dozzle
    hostname: dozzle
@@ -0,0 +1,75 @@
+location /authelia {
+internal;
+set $upstream_authelia http://192.168.1.30:9091/api/verify;
+proxy_pass_request_body off;
+proxy_pass $upstream_authelia;    
+proxy_set_header Content-Length "";
+
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+client_body_buffer_size 128k;
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr; 
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 4 32k;
+
+send_timeout 5m;
+proxy_read_timeout 240;
+proxy_send_timeout 240;
+proxy_connect_timeout 240;
+}
+
+location / {
+set $upstream_container_name $forward_scheme://$server:$port;
+proxy_pass $upstream_container_name;
+
+auth_request /authelia;
+auth_request_set $target_url https://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $email $upstream_http_remote_email;
+auth_request_set $groups $upstream_http_remote_groups;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Groups $groups;
+
+error_page 401 =302 https://auth.akanealw.com/?rd=$target_url;
+
+client_body_buffer_size 128k;
+
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection upgrade;
+proxy_set_header Accept-Encoding gzip;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+set_real_ip_from 192.168.1.0/24;
+real_ip_recursive on;
+}
@@ -0,0 +1,8 @@
+users:
+  akanealw: #username for user 1. change to whatever you'd like
+    displayname: "akanealw" #whatever you want the display name to be
+    password: "$argon2i$v=19$m=1024,t=1,p=8$eTQ3MXdqOGFiaDZoMUtMVw$OeHWQSg9zGKslOepe5t4D1T9BZJjHA1Z+doxZrZYDgI" #generated at https://argon2.online/
+    email: akanealw@gmail.com #whatever your email address is
+    groups: #enter the groups you want the user to be part of below
+      - admins
+